New criminal penalties for breaches should be introduced says Justice Committee

The Justice Select Committee today calls for a package of measures to give the Information Commissioner new enforcement powers over protection of private data and strengthen the criminal penalties for significant security breaches in the wake of the loss of millions of personal and financial records by HM Revenue and Customs (HMRC). The Report sets out key points from the evidence it received from Richard Thomas, the Information Commissioner.

The Committee is "extremely concerned" that there are more cases involving personal data loss by government bodies or contractors which are still coming to light and that the Information Commissioner's warning this summer about the danger of extensive security lapses in a wide range of organisations have been proved correct. The Committee concludes that "there is evidence of a widespread problem within Government relating to establishing systems for data protection and operating them adequately".

The Committee also says that concerns were raised two years ago in a report by Dr Mark Walport, who is now heading the Government's main review of data protection, about the risks of what the acting Chairman of HMRC has now admitted were "systemic" failings in the handling of personal data.

The Committee calls for:

new reporting requirements that would require companies to report losses of data

new laws making significant security breaches, where reckless or repeated, a criminal offence

quick implementation of the new enforcement powers for the Information Commissioner to conduct unannounced spot checks on Government Department's data systems

proper resources for the Office of the Information Commissioner

Rt Hon Alan Beith MP, Chairman of the Committee, said:

"The scale of the data loss by Government bodies and contractors is truly shocking but the evidence we have had points to further hidden problems. It is frankly incredible, for example, that the measures HMRC has put in place (as described in the Chancellor's statement of December 17) were not already standard procedure.

We look forward to the Cabinet Secretary's full report on the procedures for the storage and use of personal data across all Government departments.

We will monitor the situation closely to ensure that effective action is taken to protect information which is the property of members of the public."